ZenCash is currently under threat of a zero-day attack announced by the former lead developer of the Zen node and Eleos wallet code. Shortly after announcing his intention of leaving the project, he also announced and made public a method of attacking the Zen blockchain.

The other members of the Zen founding team, Rob Viglione, Rolf Versluis, and Jane Lippencott, are grateful for all the hard work put into the project by Joshua Yabut when he was the lead developer, and thankful for the notification of the potential zero-day attack. We will definitely miss him being on the team.

The nature of the attack could lead to a transaction replay from the Zclassic blockchain to the Zen blockchain. There was replay protection put in place for the launch of Zen, but due to the warning it appears more replay protection would be prudent.

Based on the threat, the Zen Core team has asked our primary exchange partner, Bittrex, to protect their holdings by putting the ZEN wallet into maintenance mode until the code has been reviewed. This does not stop trading on the exchange, only the deposit and withdrawal of Zen funds. This is a short-term measure.

The Zen blockchain is intact, no funds have been lost to the best knowledge of the Zen team, and the mitigation plan is already in place.

The mitigation plan is:

* Take a snapshot of the existing blockchain.
* Review the Zen code for issues (already in progress).
* Implement whatever measures are necessary to get the Zen code base to a reliable state.

After the short-term mitigation plan, the Zen Core team will continue to work with an industry-leading development team, IOHK, to continue development and improvement of the ZenCash software to follow along with the vision laid out in the Zen White Paper.

IOHK developers have already been working with Zen and were very helpful in identifying and fixing the code issue that caused the Zen launch delay. They are also in the process of performing the code review for security.

The Zen team is excited about the opportunity to continue to grow and develop the ZenCash cryptocurrency and is thankful to the many community members, contributors, miners, mining pool operators, purchasers of ZenCash, and exchanges (especially Bittrex!) who have expressed support and encouragement for the project.

We intend to continue to provide an update twice daily on the status of the short-term issue, and will then resume consistent communications and activity as we work together to realize the vision in the Zen white paper.
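The announcement above describes the risk as a transaction replay from the Zclassic chain onto the Zen chain. The standard defence is to bind every signature to the chain it was made for, so that a signed transaction lifted from one chain fails verification on the other. The following is an added illustration of that principle and is not code from the Zen project or from the announcement; it does not reproduce whatever mechanism Zen actually shipped. The chain identifiers, the transaction and the signer secret are all constructed, and an HMAC stands in for the ECDSA signature a real wallet would produce, since the point being shown is domain separation of the signed digest, not the signature algorithm.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed chain identifiers (hypothetical; not the real Zclassic/Zen parameters).
CHAIN_ZCL = b"zclassic-mainnet-example"
CHAIN_ZEN = b"zencash-mainnet-example"

# Constructed signer secret. HMAC stands in for a real wallet's ECDSA key so the
# example runs with the standard library only.
SIGNER_SECRET = b"example-wallet-secret"


def sighash(tx: dict, chain_id: Optional[bytes]) -> bytes:
    """Digest that gets signed.

    With chain_id=None the digest depends only on the transaction contents,
    so the same signature is valid on every chain that shares this format
    (no replay protection).  With a chain_id the digest is domain-separated:
    the identifier is mixed in ahead of the transaction, so a signature made
    for one chain cannot verify on another.
    """
    body = json.dumps(tx, sort_keys=True).encode()
    if chain_id is None:
        return hashlib.sha256(body).digest()
    return hashlib.sha256(chain_id + b"\x00" + body).digest()


def sign(tx: dict, chain_id: Optional[bytes], secret: bytes = SIGNER_SECRET) -> bytes:
    """Wallet side: sign the (possibly chain-bound) digest."""
    return hmac.new(secret, sighash(tx, chain_id), hashlib.sha256).digest()


def node_accepts(node_chain: bytes, tx: dict, sig: bytes, protected: bool,
                 secret: bytes = SIGNER_SECRET) -> bool:
    """Node side: a node on `node_chain` checks a submitted (tx, sig).

    An unprotected node validates against the bare transaction digest; a
    protected node insists the signature was made over its own chain id.
    """
    expected = sign(tx, node_chain if protected else None, secret)
    return hmac.compare_digest(expected, sig)


def demo() -> dict:
    """Replay the same signed transaction across chains with and without protection."""
    tx = {"from": "addr_a", "to": "addr_b", "amount": 10, "nonce": 1}  # constructed

    # Without replay protection: one signature, valid on both chains.
    sig_bare = sign(tx, None)
    results = {
        "unprotected_zcl_accepts": node_accepts(CHAIN_ZCL, tx, sig_bare, protected=False),
        "unprotected_zen_accepts": node_accepts(CHAIN_ZEN, tx, sig_bare, protected=False),
    }

    # With replay protection: signed for ZCL, accepted there, rejected on ZEN.
    sig_zcl = sign(tx, CHAIN_ZCL)
    results["protected_zcl_accepts"] = node_accepts(CHAIN_ZCL, tx, sig_zcl, protected=True)
    results["protected_zen_accepts"] = node_accepts(CHAIN_ZEN, tx, sig_zcl, protected=True)

    # A bare (unprotected) signature is also rejected by a protected node, which is
    # what makes the protection effective against pre-fork transactions.
    results["protected_zen_accepts_bare"] = node_accepts(CHAIN_ZEN, tx, sig_bare, protected=True)
    return results


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'ACCEPTED' if accepted else 'rejected'}")
```

The check that matters for a review like the one the announcement describes is the last two results: a protected node must reject both a signature bound to the other chain and a signature made with no chain binding at all. If either is accepted, the "replay protection" only covers transactions created after the protection was enabled and does nothing for the pre-fork history that a replay relies on.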

For a project that’s supposed to take security seriously, this is an incredibly weak update.

* Where was the 0-day dropped and under what circumstances?
* Why is such a blatant violation of our industry’s standard practice of responsible disclosure being thanked instead of reprimanded?
* Why are there no details on what your policy for responsible disclosure is?

What you’re telling people watching this project is that this is how you expect information to be shared in the future, this is how security incidents are to be dealt with and this is how developers leaving your projects should handle these issues in the future.

I understand not wanting to reprimand one of your own, but someone just irresponsibly published an attack against the network with you thanking him. You’re supposed to have the network’s interest at heart; this tells us you don’t.

As far as security practices go, this is amateur hour and you know it.

“are grateful for all the hard work put into the project by Joshua Yabut when he was the lead developer, and thankful for the notification of the potential zero day attack. We will definitely miss him being on the team.”

We were in the middle of confirming Bittrex had a chance to update their servers before disclosing it. We had agreed on that.

He made the disclosure before the biggest vulnerable systems we knew of had confirmed mitigation. And in his disclosure he told people how to do the attack. It was publicly done in the Slack with hundreds of witnesses, and maybe on Twitter.

He was not asked to leave the project. He left on his own in a very public way.